Blog, 3 minutes read
August 6, 2022

How Do Credential Stuffing Attacks Work?

One of the most common attacks on the planet exploits the reuse of usernames and passwords across different websites, and across business and personal accounts. But many people have no idea that the technique used to match viable login credentials across sites has a real name: credential stuffing.

In this article, we’ll talk a little bit about the resources and techniques attackers use to carry out a credential stuffing attack, and the human habits that give the tactic such a reliable hit rate. We’ll also cover countermeasures that users can take, and privacy software that can help shield your identity online, so that credential stuffing isn’t so simple to pull off.


Credential Stuffing Attack Techniques

One of the unique features of a credential stuffing attack is that the attackers do almost none of the infiltration and groundwork themselves. The technique relies on username and password lists taken from other sites that were breached in the past.

Once an attacker has a list of old, plaintext username and password pairs, there are several ways to reuse that information. The first and most common is simply to try the same credentials on every popular website in the top-100 lists of the world’s biggest countries. Working through the most visited sites in the U.S., India, China, Indonesia, and Pakistan covers a broad cross-section of foreign and domestic visitors to a few hundred wildly popular websites.

Of course, the more information the attacker has, the more specifically they can target. If the original list came from a dog owners’ website, for example, they could use a list of a thousand shopping sites and pet-related sites as their base. If it came from an adult site, they could try the same set against other sites in the same genre.

Further research can refine the attack even more, particularly if the attacker has narrowed in on a specific subset of targets… say, people who work at a certain business, or people they think could pay a significant ransom if anything incriminating turns up in their other accounts. A more tightly targeted credential stuffing campaign starts by finding out more real-world information about the targets, then searches for e-mail addresses and business profiles linked to those names. From there, the attacker can pair newly discovered usernames with the old passwords and see if they get lucky.

Why do credential stuffing attacks work? Humans are creatures of habit, and often those habits are lazy. Reusing the same usernames and passwords across multiple sites is just easier. Not turning on additional protection that might ‘slow them down’ is another symptom of the same thing. Surprisingly, smart people who should know better are still susceptible to credential stuffing, because a certain percentage of them will be too lazy to vary their credentials.

Some 68% of Americans have used the same password on multiple sites, and 25% of employees use the exact same credentials on all of their accounts. Sure, some people will have changed that commonly used password on all of their accounts, and others will have changed their username due to preference, marriage, or switching e-mail providers. But around 2% of the accounts found on a relatively fresh breach list will be vulnerable to credential stuffing.

Isn’t it frustrating for attackers to fail 49 times for every one success? No, because the majority of these attacks are automated, at least until a username and password pair is proven to work; then a real human might take over. Failures are only seen and recorded in the automation logs, to avoid duplicating effort.

Credential Stuffing Attack Resources

So where do attackers get the username and password lists for their attacks? From a variety of places, both paid and free. Highly public breaches will have their results dumped on a public forum such as 4chan. Breaches behind a paywall usually get sold on the dark web, in exchange for the right amount of cryptocurrency. Other sources include private chats, torrents, cloud servers, or even IRC.

Billions of credentials are leaked every year from breached websites and infrastructure, and compromised passwords account for 84% of data breaches. Generally speaking, the question isn’t whether a credential stuffing attack will result in hacked accounts; it’s simply a question of how many. Fresher and more exclusive credential lists produce a higher success rate.

Then all the attacker needs is an automation tool. There are plenty of open-source tools and frameworks, such as Selenium and OpenBullet, so they don’t need to spend a penny here. Botnets can be used to distribute the workload and make the login attempts less obvious to the target sites.
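The flip side of the automation described above is that it leaves a signature in the target site’s own authentication logs: one source (or a botnet) trying many distinct usernames with a very low success rate. The following is an added example, not code from the original post or from Hoody, showing the detection logic a defender might run over such logs. The log format, the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the usernames and the thresholds are all constructed for the example; a real deployment would read its own server’s log format and tune the thresholds to its traffic.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format for this example (not any real product's format):
#   <ISO timestamp> auth <ok|fail> user=<username> ip=<source ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def constructed_log() -> List[str]:
    """Build a small, labelled sample log: one stuffing source plus one normal user."""
    lines = []
    # Stuffing source: 30 attempts, 30 different usernames, exactly one success.
    for i in range(30):
        result = "ok" if i == 17 else "fail"
        lines.append(
            f"2022-08-06T10:00:{i:02d}Z auth {result} user=user{i:03d}@example.com ip=203.0.113.7"
        )
    # Legitimate user: mistypes the password once, then logs in.
    lines.append("2022-08-06T10:01:00Z auth fail user=alice@example.com ip=198.51.100.2")
    lines.append("2022-08-06T10:01:05Z auth ok user=alice@example.com ip=198.51.100.2")
    return lines


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Turn matching log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Attempts, successes and the set of usernames tried, keyed by source IP."""
    stats: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["successes"] += 1
    return stats


def flag_sources(events, min_attempts=20, min_distinct_users=10, max_success_rate=0.10) -> Dict[str, dict]:
    """Flag IPs that try many distinct usernames and almost always fail.

    Thresholds are constructed for the example; tune them to real traffic.
    """
    flagged = {}
    for ip, s in per_source_stats(events).items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "successes": s["successes"],
                "success_rate": round(rate, 3),
            }
    return flagged


def fleet_failure_rate(events) -> float:
    """Site-wide failure ratio. A botnet spreading attempts over many IPs can stay
    under every per-IP threshold, but it still pushes this number up."""
    if not events:
        return 0.0
    fails = sum(1 for e in events if e["result"] == "fail")
    return fails / len(events)


def accounts_to_reset(events) -> Set[str]:
    """Usernames that logged in successfully from a flagged source: the pairs the
    attacker has now 'proven'. These are the accounts to force-reset and notify."""
    bad_ips = set(flag_sources(events))
    return {e["user"] for e in events if e["ip"] in bad_ips and e["result"] == "ok"}


if __name__ == "__main__":
    evs = parse_log(constructed_log())
    print("flagged sources:", flag_sources(evs))
    print("fleet failure rate:", round(fleet_failure_rate(evs), 3))
    print("accounts to reset:", accounts_to_reset(evs))
```

The per-IP rule is the cheap first pass; the fleet-wide ratio is what remains useful once the attempts are spread across a botnet, and the last function turns a detection into the one action that actually matters for the affected user.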

Protecting Your Accounts And Your Privacy Online

There are three steps to protecting yourself from credential stuffing attacks: using unique login information, using two-factor authentication, and maintaining your privacy.

At the most basic level, the best way to stop credential stuffing is to never use the same password twice. A central password manager can help with this by generating complex and entirely random passwords for each site you visit.

Next, activate two-factor authentication (2FA) on every site that offers it. 2FA means the attacker needs more than just your username and password to log in: they also need your 2FA device, which is often linked to your mobile phone or a hardware authentication device.

Finally, to defeat the more sophisticated methods of linking your accounts to your identity, a privacy add-on is a must. Software like Hoody can obscure your web browser’s fingerprint, help you avoid government monitoring, and keep your online identities completely independent and separate by obscuring details such as your IP address and country of origin.

Credential stuffing is becoming even more common with the massive number of hacking incidents in the COVID-19 era. Take all necessary precautions to protect your accounts and your identity.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
